I'd also agree. If we could deploy an Azure Public IP as a reservation and then bind the service to that, then we'd have further assurance that just redeploying or changing the networking wouldn't change the public IP.

I think this is less of an issue for internal vnets as I typically scope the entire subnet range for network ACLs.